Pierre-Yves Chibon wrote:
> I'm more worried about it relying on GPG at the moment considering the state of
> the SKS network [1].
> What are the chances that we end up breaking a build if we suddenly get a
> poisoned key? Are we going to break just a build or could this have more
> annoying consequences?

The build doesn't access any key servers. The packager must obtain the correct key and include it in the source package. Normally the packager should download the keyring directly from the upstream website over HTTPS. If upstream doesn't provide such a keyring (which would be rather dumb), then the packager might fetch a key from a keyserver. In that case a problem with the SKS network could prevent the packager from obtaining the key. This would only be a problem when the packager initially obtains the key, not when they update the package to a new version, and certainly not on every build. Upstream can solve the problem by publishing a keyring, taking keyservers out of the picture entirely.

Note that a packager who gets a key from a keyserver has a problem with verifying that the key they received is the correct one, as anyone can upload any key to a keyserver. That's the primary reason why upstream projects should publish their keys on their own websites.

Björn Persson
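The check described above, as an added example that is not part of this thread or of Fedora's packaging macros: the only trust input at verification time is a keyring file shipped beside the sources, and no keyserver is contacted. It assumes gpg (2.1 or newer) and gpgv are installed; the key, tarball, signature and the "upstream" role are all constructed in a temporary directory.

```sh
#!/bin/sh
# Added example: offline source verification against a packager-supplied
# keyring, the situation Björn describes. Not code from the thread.
set -eu

# Stand in for upstream (constructed): create a throwaway signing key,
# export the keyring upstream should serve over HTTPS, and sign a release.
make_upstream_release() {
    dir=$1
    export GNUPGHOME="$dir/upstream-gnupg"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Example Upstream <release@example.invalid>' \
        ed25519 sign 0 >/dev/null 2>&1
    printf 'fake tarball contents\n' > "$dir/foo-1.0.tar.gz"
    gpg --batch --quiet --armor --detach-sign \
        --output "$dir/foo-1.0.tar.gz.asc" "$dir/foo-1.0.tar.gz"
    # Binary export, which is what gpgv expects as a keyring.
    gpg --batch --quiet --export 'release@example.invalid' \
        > "$dir/upstream-keyring.gpg"
    unset GNUPGHOME
}

# The build-time step on the packager's side: gpgv consults only the given
# keyring, never a keyserver or the user's own GnuPG home. Exit status 0
# means a good signature from a key in that keyring; anything else fails.
verify_source() {
    keyring=$1 sig=$2 data=$3
    gpgv --quiet --keyring "$keyring" "$sig" "$data" 2>/dev/null
}

# Demo when run directly (skipped if GnuPG is not installed).
if command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_upstream_release "$work"
    if verify_source "$work/upstream-keyring.gpg" \
            "$work/foo-1.0.tar.gz.asc" "$work/foo-1.0.tar.gz"; then
        echo "good signature with bundled keyring"
    fi
    : > "$work/empty-keyring.gpg"
    if ! verify_source "$work/empty-keyring.gpg" \
            "$work/foo-1.0.tar.gz.asc" "$work/foo-1.0.tar.gz"; then
        echo "rejected: signing key not in keyring"
    fi
    rm -rf "$work"
fi
```

A wrong or missing key in the bundled keyring fails the build deterministically, whatever state the SKS network is in.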